[PATCH 1/1] usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()

2018-03-02 Thread Xinyong
When I debugged a kernel crash issue in functionfs, I found ffs_data.ref
overflowed: while functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to
refcount_t") can avoid refcount overflow, but that is risky in some situations.
So there is no need to put ffs_data in ffs_fs_kill_sb; it is already put in ffs_data_closed.

The issue can be reproduced on the Mediatek mt6763 SoC, with ffs used for the ADB device.
A KASAN-enabled configuration reports a use-after-free error.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffc0579386a0
Read of size 4 by task umount/4650

BUG kmalloc-512 (Tainted: PW  O   ): kasan: bad access detected
-

INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
alloc_debug_processing+0x1ac/0x1e8
___slab_alloc.constprop.63+0x640/0x648
__slab_alloc.isra.57.constprop.62+0x24/0x34
kmem_cache_alloc_trace+0x1a8/0x2bc
ffs_fs_mount+0x194/0x844
mount_fs+0x6c/0x1d0
vfs_kern_mount+0x50/0x1b4
do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
free_debug_processing+0x22c/0x434
__slab_free+0x2d8/0x3a0
kfree+0x254/0x264
ffs_data_put+0x25c/0x320
ffs_data_closed+0x124/0x15c
ffs_fs_kill_sb+0xb8/0x110
deactivate_locked_super+0x6c/0x98
deactivate_super+0xb0/0xbc
INFO: Object 0xffc057938600 @offset=1536 fp=0x  (null)
..
Call trace:
[] dump_backtrace+0x0/0x250
[] show_stack+0x14/0x1c
[] dump_stack+0xa0/0xc8
[] print_trailer+0x158/0x260
[] object_err+0x3c/0x40
[] kasan_report_error+0x2a8/0x754
[] kasan_report+0x5c/0x60
[] __asan_load4+0x70/0x88
[] refcount_dec_and_test+0x14/0xe0
[] ffs_data_put+0x80/0x320
[] ffs_fs_kill_sb+0xc8/0x110
[] deactivate_locked_super+0x6c/0x98
[] deactivate_super+0xb0/0xbc
[] cleanup_mnt+0x64/0xec
[] __cleanup_mnt+0x10/0x18
[] task_work_run+0xcc/0x124
[] do_notify_resume+0x60/0x70
[] work_pending+0x10/0x14

Cc: sta...@vger.kernel.org
Signed-off-by: Xinyong <xinyong.f...@linux.alibaba.com>
---
 drivers/usb/gadget/function/f_fs.c |1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c 
b/drivers/usb/gadget/function/f_fs.c
index c2592d8..d2428a9 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1538,7 +1538,6 @@ static int ffs_fs_parse_opts(struct ffs_sb_fill_data 
*data, char *opts)
if (sb->s_fs_info) {
ffs_release_dev(sb->s_fs_info);
ffs_data_closed(sb->s_fs_info);
-   ffs_data_put(sb->s_fs_info);
}
 }
 
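Review bot: dropping the `-   ffs_data_put(sb->s_fs_info);` line is only correct if ffs_data_closed() unconditionally drops the reference that ffs_fs_mount() took for the superblock; the freed stack in the description (ffs_data_put reached via ffs_data_closed from ffs_fs_kill_sb) supports that for this path, but the commit message should state that ownership explicitly rather than only say "already put in ffs_data_closed". Since the patch is Cc'd to stable, it should also carry a Fixes: tag naming the commit that introduced the double put; 43938613c6fd is cited but is the refcount_t conversion, not the root cause. The `ffs_fs_parse_opts` text in the `@@` header is git's function-context heuristic and the hunk actually sits in ffs_fs_kill_sb(), which matches the backtrace and is harmless.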
-- 
1.7.9.5
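The double put described in the patch, as an added user-space model of the ffs_data reference accounting (not the kernel's code). It assumes, beyond what the mail states, that ffs_data_new() hands the mount one reference and that ep0 open/release take and drop one via ffs_data_opened()/ffs_data_closed(); the `freed` and `uaf` fields exist only so the model can observe the bug without touching freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of struct ffs_data's reference accounting; not kernel code. */
struct ffs_data {
	int ref;      /* stands in for refcount_t ffs->ref */
	bool freed;   /* model only: kfree() has already run */
	int uaf;      /* model only: puts that touched freed memory */
};

/* Assumption: ffs_data_new() hands the mount one reference. */
static struct ffs_data *ffs_data_new(void)
{
	struct ffs_data *ffs = calloc(1, sizeof *ffs);
	ffs->ref = 1;
	return ffs;
}

static void ffs_data_put(struct ffs_data *ffs)
{
	if (ffs->freed) {        /* refcount_dec_and_test() on freed memory */
		ffs->uaf++;
		return;
	}
	if (--ffs->ref == 0)
		ffs->freed = true;   /* kfree(ffs) in the kernel */
}

/* Assumption: ep0 open takes a reference, ep0 release drops it. */
static void ffs_data_opened(struct ffs_data *ffs) { ffs->ref++; }
static void ffs_data_closed(struct ffs_data *ffs) { ffs_data_put(ffs); }

/* One mount / ep0 open / ep0 release / unmount cycle. In the unmount
 * path ffs_data_closed() consumes the mount's reference, so the
 * pre-patch explicit put is one drop too many. Returns how many puts
 * hit freed memory (0 means the accounting is balanced). */
int unmount_uaf_count(bool patched)
{
	struct ffs_data *ffs = ffs_data_new();
	int uaf;

	ffs_data_opened(ffs);    /* ep0 opened by the ADB daemon: ref 2 */
	ffs_data_closed(ffs);    /* ep0 released: ref 1 */
	ffs_data_closed(ffs);    /* ffs_fs_kill_sb(): ref 1 -> 0, freed */
	if (!patched)
		ffs_data_put(ffs);   /* the line the patch removes */
	uaf = ffs->uaf;
	free(ffs);
	return uaf;
}
```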